[From nobody Mon Apr 6 16:07:07 2026 Received: (at 1132268-close) by bugs.debian.org; 6 Apr 2026 15:05:26 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-113.0 required=4.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FOURLA,FVGT_m_MULTI_ODD, HAS_BUG_NUMBER,MD5_SHA1_SUM,PGPSIGNATURE,RCVD_IN_DNSWL_MED, SPF_HELO_PASS,SPF_NONE,USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 6; hammy, 150; neutral, 319; spammy, 0. spammytokens: hammytokens:0.000-+--HX-Debian:DAK, 0.000-+--H*rp:D*ftp-master.debian.org, 0.000-+--UD:debian.tar.xz, 0.000-+--H*r:sk:fasolo., 0.000-+--H*MI:fasolo Return-path: <envelope@ftp-master.debian.org> Received: from mitropoulos.debian.org ([2001:648:2ffc:deb:216:61ff:fe9d:958d]:60094) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1w9lW2-000hfG-1v for 1132268-close@bugs.debian.org; Mon, 06 Apr 2026 15:05:26 +0000 Received: via submission from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA, CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified) by mitropoulos.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1w9lW0-00DMUO-36 for 1132268-close@bugs.debian.org; Mon, 06 Apr 2026 15:05:24 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id:Content-Type: Subject:MIME-Version:To:Reply-To:From:Cc:Content-Transfer-Encoding:Content-ID :Content-Description:In-Reply-To:References; bh=ks2zkOn/k8f73CIAPCKF4sUI1WIMTBQkJLmxV/aOznA=; b=XJ+CzUdgfFqQDOTZucEupWDBzy oPPix/LYLB790HmDkmcd2H+t9ByWvrdXQQEkLsB/o0I5C2+U9Ebie0qJAWT6ZP8fPy0oILtQzSPv5 4YznT753LTsgZ+3X8LWSsxRoVMyE9l295Q2LBzMCk/2txbfP2VyrLA52t3alHiQgq5JtSgrJMWwmA rn4mGXgJYgO3np3NFTDeviUxAwuGKvvutEbmTrAcAqoxxOtLhYIR0fEY3z/sWDfV9PyvD7xvqMLgR VLYv6uuSyFvHpj9n9TPgPk4IDsDtltcxzWCghUM7nC4un5iiVRaB0dpBElDAXgIAn2rz4ELq7mtMZ LDZA6ksw==; Received: from dak by fasolo.debian.org with local (Exim 4.98.2) (envelope-from <envelope@ftp-master.debian.org>) id 1w9lVz-00000000m3x-3IBJ; Mon, 06 Apr 2026 15:05:23 +0000 From: Debian FTP Masters <ftpmaster@ftp-master.debian.org> Reply-To: Guilhem Moulin <guilhem@debian.org> To: 1132268-close@bugs.debian.org X-DAK: dak process-policy X-Debian: DAK X-Debian-Package: roundcube Debian: DAK Debian-Changes: roundcube_1.6.5+dfsg-1+deb12u8_source.changes Debian-Source: roundcube Debian-Version: 1.6.5+dfsg-1+deb12u8 Debian-Architecture: source Debian-Suite: oldstable-proposed-updates Debian-Archive-Action: accept MIME-Version: 1.0 Subject: Bug#1132268: fixed in roundcube 1.6.5+dfsg-1+deb12u8 Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="===============7618697840108990290==" Message-Id: <E1w9lVz-00000000m3x-3IBJ@fasolo.debian.org> Date: Mon, 06 Apr 2026 15:05:23 +0000 X-CrossAssassin-Score: 2 --===============7618697840108990290== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Source: roundcube Source-Version: 1.6.5+dfsg-1+deb12u8 Done: Guilhem Moulin <guilhem@debian.org> We believe that the bug you reported is fixed in the latest version of roundcube, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1132268@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 20 Mar 2026 19:15:19 +0100 Source: roundcube Architecture: source Version: 1.6.5+dfsg-1+deb12u8 Distribution: bookworm-security Urgency: high Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-li= sts.debian.net> Changed-By: Guilhem Moulin <guilhem@debian.org> Closes: 1131182 1132268 Changes: roundcube (1.6.5+dfsg-1+deb12u8) bookworm-security; urgency=3Dhigh . * Cherry pick upstream security fixes from v1.6.14 and v1.6.15 (closes: #1131182, #1132268): + Fix CVE-2026-35537: Pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler. + Fix CVE-2026-35538: IMAP Injection + CSRF bypass in mail search. + Fix CVE-2026-35539: XSS vulnerability in HTML attachment preview. + Fix CVE-2026-35540: SSRF and information disclosure vulnerability via stylesheet links pointing to a local network hosts. + Fix CVE-2026-35541: A password could get changed without providing the old password in some situations. + Fix CVE-2026-35542: Remote image blocking bypass via a crafted <body> background attribute. + Fix CVE-2026-35543: Remote image blocking bypass via various SVG anima= te attributes. + Fix CVE-2026-35544: Fixed position mitigation bypass via use of `!important`. + Fix CVE-2026-35545: SVG animate FUNCIRI attribute bypass (remote image loading via fill/filter/stroke). * Add custom patch to avoid runtime dependency on mlocati/ip-lib which is not present in bookworm. Checksums-Sha1: a95c6a9aaf4667b202da4cddfd8972f13e0e0b51 3833 roundcube_1.6.5+dfsg-1+deb12u8= .dsc 75e8f83121324fcf70adecf57378e2e42210d29a 130548 roundcube_1.6.5+dfsg-1+deb12= u8.debian.tar.xz 78e4665c4a53ec24e82a59ef862bcffacec8e211 6238 roundcube_1.6.5+dfsg-1+deb12u8= _source.buildinfo Checksums-Sha256: d04503b681969d1541aaf9523a7a565bdaf4789b72923e7615376423f8b41cad 3833 roundc= ube_1.6.5+dfsg-1+deb12u8.dsc 489d5acb099250123e0a5e058202299400ac57492e941f555055e13b477805b0 130548 roun= dcube_1.6.5+dfsg-1+deb12u8.debian.tar.xz 48f77db6f2d21add8b342ab57c05d7c93057cb42b399898e86ddcaa3850a661d 6238 roundc= ube_1.6.5+dfsg-1+deb12u8_source.buildinfo Files: bffef305afbe28b922814c1692687734 3833 web optional roundcube_1.6.5+dfsg-1+de= b12u8.dsc ac9ac632a4e422f52c0022b5278365c8 130548 web optional roundcube_1.6.5+dfsg-1+= deb12u8.debian.tar.xz b5e0596543fee232be22cb56597c742c 6238 web optional roundcube_1.6.5+dfsg-1+de= b12u8_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmnPahoACgkQ05pJnDwh pVL5MxAAlsg+6JLU+WOtuEDFQDeumMIw5FJlBHKoXbVcS6Vx96lQs37OJ81W2bzp +GZUKi9mO+QPViFjC727oCvXvHtp2qXAjwEZX9AF2znnurqQWACl+pimJHvIbmVC kYQaDDkgjFxuD7Zy2U2ve8PEazkbbegoB4CutaDX87VbFZwwBrcN5qFaUO7OnWSZ 0+Tfoi9cMKCjFCIEk7ZLMImxlmnC5LkUwveEalv95E3Qjjy32Lb2E65YkrfHjeZx DkzHHb46K2OCAXIspmN0KlFApD88INqOLdaZmidOa1JNBmX4Dt9pFhyWMpkso7++ LXB4ngXnimZiZEPS164zriORUzkZk2fkoHVm+pxCJEZ2aqfkBD+935lxm5tb4Z18 +A7oZm+oXP8Ay2GhggiqwAj2LmcxY6YYrt4XlELpJ+bKTgT4outS2mu6BYji8j3Q XQH+nYPkKXOW62yysxfdNo29WLt+CQV8dHDN/utLSPrGs2WQW7WxjCLjfgiWuaHO 2wrfxKufH+U0VJJsAdI5vM1sLKMKdSyk3f7rNgboC2SzYmhmTSqTzLfIP5KVvgX7 2Q40YHpyrhP62KtnCo0H4YlPsEfQnW5MkiL6JOcyuz4+PFicdXbAZSh2DwrN9Wdx zaSAHT5Wrdhjm4rKUAyIsmCiEaIBPdgJ3gTW4P/x593R+6BdFmI=3D =3DqGOR -----END PGP SIGNATURE----- --===============7618697840108990290== Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCadPLswAKCRCb9qggYcy5 IViXAP0UcPVVVOedsFBOiZooj6OumQ87f3Fg/edbONDXWpXK5AEArqwXbqGllzKn GSqs44L7N1ljy3wj2YTf+aVJRxAwbgc= =oLXP -----END PGP SIGNATURE----- --===============7618697840108990290==-- ]